Safeguard your identity and password.
Some services and data you access are private or sensitive. Nobody should access or change your email, files, class schedules, medical history, budget, research data, or grades but you. Access to those services is authorized based on your identity. Your password is your proof of your identity. When passwords are compromised, the criminal takes on your identity and can do anything you can do (and perhaps even more!).
Passwords may be compromised by any of a number of methods. Here they are in relative order of frequency along with the things you can do to decrease risk.
You give them to criminals who fooled you with a "phishing" message or fake web site.
The ONLY site authorized to change your JMU eID password is the MyMadison portal at https://mymadison.jmu.edu. Set a bookmark in your browser or type it in. Do not follow links in email. Do not send your password in email.
This is probably the most common way passwords are compromised. It is up to you to determine if an email message or web site is real. Unfortunately, in this day and age that can be difficult. Still, some basic practices and tells can be used to validate most JMU email messages and web sites.
- How to avoid fake e-mail and web sites and protect both your JMU and personal accounts. View the video and take the IsItReal? game challenge.
- Look Where You're Going - hover over email links to make sure they're pointing to a domain associated with the message. For JMU, that would almost always be jmu.edu. For non-JMU messages, you'll need to acquaint yourself with the organizations' official web sites and domains. Online tools can help. If in doubt, don't click.
- Look Where You're At - if you click a link and get to a web site, look at the browser address bar and make sure it displays a domain associated with the organization you think you're dealing with. For JMU, that would almost always be jmu.edu. For non-JMU organizations, you'll need to acquaint yourself with the organizations' official web sites and domains. Online tools can help. If in doubt, close the browser.
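The two checks above come down to one question: is the host in the link really jmu.edu or a subdomain of it? The following added example (not part of the original page) shows how a browser resolves the host of a link and why "jmu.edu" appearing somewhere in the address is not enough; the sample links are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

# The organization's domain you expect a link to belong to (from the page).
EXPECTED_DOMAIN = "jmu.edu"


def link_host(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to, or None."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None  # mailto:, javascript: and friends are not web destinations
    # .hostname is lower-cased and has any "user@" prefix and ":port" removed,
    # so text placed before an "@" never counts as the host.
    return parts.hostname


def belongs_to(host: Optional[str], domain: str) -> bool:
    """True only if host is the domain itself or a real subdomain of it."""
    if not host:
        return False
    domain = domain.lower().rstrip(".")
    host = host.rstrip(".")
    # "jmu.edu.example.net" ends with "jmu.edu" but not with ".jmu.edu" preceded
    # by the full name, and "myjmu.edu" is a different domain entirely.
    return host == domain or host.endswith("." + domain)


def check_link(url: str, domain: str = EXPECTED_DOMAIN):
    """Return (is_ok, one-line verdict) for a link seen while hovering."""
    host = link_host(url)
    ok = belongs_to(host, domain)
    return ok, f"{'OK' if ok else 'NO'} host={host!r} <- {url}"


# Constructed sample links of the kinds that show up in messages.
SAMPLE_LINKS = [
    "https://mymadison.jmu.edu/",
    "https://JMU.EDU:443/computing/",
    "https://jmu.edu.example.net/login",   # jmu.edu is only a prefix
    "https://example.net/jmu.edu/login",   # jmu.edu is only in the path
    "https://jmu.edu@example.net/",        # jmu.edu is only a username
    "https://myjmu.edu/",                  # lookalike domain
    "mailto:helpdesk@jmu.edu",             # not a web site at all
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(check_link(link)[1])
```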
Criminals break into one of your service providers and steal them in bulk.
There isn't a lot you can do about a failure of security at one of your service providers but you can limit losses.
Generally, the provider protects the stored secrets with cryptography, but they can still be cracked given enough time. And if the intruder isn't detected, they're free to gather unprotected passwords as they pass through the service in real time for as long as they maintain control.
If you use the same password on multiple sites, a security failure by one site may allow the criminal to access your other sites.
- Using a unique password for each service, or at least for each level of service (e.g. financial/medical vs youtube/facebook) will limit the spread of damage from one service to another.
You type them into a compromised, untrustworthy, or shared device.
The device may be your own virus infected computer or someone else's device. The device may be set up purposely to collect passwords or may inadvertently store them...sometimes at our behest (e.g. "Would you like to remember this password?" or "Keep Me Signed In").
- Follow StartSafe procedures to set up a device with the best chance of fending off compromises and follow RUNSAFE operating advice to help keep them that way.
- Refrain from typing passwords into unknown or shared devices.
Have you logged into Gmail from a lab or library computer lately? If you didn't sign out of Gmail or restart the computer when you were done, the next person who used the computer and visited the Gmail web site was automatically logged into your Gmail account, even if you logged out of the computer. You may experience similar issues with other services you patronize. The Amazon site will remember who you are but fortunately will make you sign in again to view any information or submit any orders.
This is all brought to you by the miracle of web cookies. They are bits of information about you that web sites store on your computer...or on a shared computer if that is what you happen to be using. When you visit the site again, the web site can retrieve them to remember information about you or even automatically log you in...even if someone else happens to be at the keyboard at the time. Google decided to make automatic login the default behavior.
What to do?
For Gmail, uncheck the box labeled "Stay Signed In" before logging in. If you forget to do that, you can still protect yourself. After you are done using the service, click your account photo or email address in the top right corner and select "sign out". (Taken from Google's Gmail Security Checklist step 9 - advice for shared computers).
Dukes email (Office 365) offers the same automatic login functionality but it is disabled by default (the Keep Me Signed In box is unchecked).
When computers in most computer labs on campus are restarted, they overwrite everything that currently exists on the computer. They effectively reinstall themselves and you get a new computer. There are at least two benefits associated with this:
- If the computer is restarted before you use it, any malware, keystroke recording software, spyware, and similar undesirable material is overwritten. If you don't restart the computer, anything you type into it and accounts you access from it are vulnerable to whatever the previous person installed - intentionally or not.
- If the computer is restarted after you use it, any saved passwords, form data, cached web sites, tracking cookies, and other mechanisms that might affect your privacy or accounts will be overwritten.
Simply logging out does not provide those benefits. Only completely restarting the computer will overwrite the data. The downside is the time it takes to restart the computer.
Not all providers of public computers offer this functionality. Check with your provider. If they don't provide the feature, you can clear private data (e.g. cookies, cache) using the browser menus to accomplish similar results.
- Internet Explorer: Tools -> Internet Options -> General Tab -> Browsing History -> Delete
- Firefox: Tools -> Clear Private Data
- Chrome: Tools -> Clear Browsing Data
- Safari: Preferences -> Privacy -> Remove All Website Data
Keep in mind that if you log into a computer belonging to an acquaintance, the same scenarios apply.
If maximum security is required, a public shared computer should not be used.
You use vulnerable communications links or protocols.
For example, a poorly configured wireless network or a service like FTP, Telnet, or even plain HTTP (i.e. HTTP without the S of HTTPS).
- Set up your wireless network according to present day best practices (WPA2) using strong secrets.
- Refrain from typing passwords to critical accounts through unknown wireless networks unless you are using a VPN. Even then, beware of browser security warnings (e.g. certificate mismatch) and cease use if they appear.
- Use only web sites that protect passwords and sensitive data with SSL encryption. These sites can usually be identified by their address starting with https and a browser lock icon. However, some sites may secure their login with SSL in other ways and it won't be apparent. Likewise, some sites may show https and a lock icon but pass data insecurely. The technical details about the exceptions are beyond the scope of end user training.
- Do not use FTP sites that require a password. Responsible, professionally run sites use secure FTP (FTPS, SFTP), SCP, HTTPS, or similar protocols to pass passwords and other sensitive data when performing file transfers.
You choose a password that is easy to guess or use a password reset mechanism that is easy for a criminal to use.
For example, if you can reset your password with a secret question like "What color is my favorite sweater", how many guesses do you think it will take a criminal to find the right color? Using public information as the answer to a secret question is similarly ineffective as a security measure.
- Choose password reset "secret questions and answers" carefully. Make up nonsensical answers. Remember - the answers to most "secret questions" violate almost all accepted security practices for passwords, they're often shared with several service providers, and might be found by a determined attacker on sites like ancestry.com or intellius.com.
What to do if your password or account is compromised
Your mailbox may be full of spam, bounced messages, and angry responses and threats from those who received criminal mail from your account. The criminal may have read or deleted everything in your mailbox. They may have contacted all your friends and associates. They may have used your account to reset passwords on other accounts. But that may be the least of the problems.
For JMU accounts (e.g. eID or Dukes/Office365) follow the JMU Account Recovery steps at https://www.jmu.edu/computing/security/jmuonly/accountrecovery.shtml
For personal accounts (e.g. Gmail, Yahoo, Banking, LinkedIn, Twitter, Facebook), use the following steps as a minimum guideline. Each account may have unique issues you need to consider. The JMU Account Recovery steps might give you some ideas.
- Change passwords
- The new password must be entirely unrelated to previous ones (e.g. don't add a number to a previous password or repeat a pattern)
- If the account has the ability to do harm (e.g. password reset on other accounts, expose confidential data, perform financial transactions), the password should be unique to that account and unrelated in pattern to others.
- The password's strength (e.g. length, content) should be appropriate for the importance of the account and its ability to do harm.
- Change any secret question/answer pairs that the account allows to be used to reset passwords or otherwise gain access to the account.
- Check for modification of an email address or phone number allowed to reset the account password.
- Check the account and application's configuration very carefully for such things as added forwarding addresses or modified information. The JMU Account Recovery steps may give you ideas.
- Do all these steps for any accounts that can be used to reset the password or otherwise gain control of this account.
- Consider configuring the account to use two-step, or two-factor, authentication. This keeps a criminal who knows your password from getting into your account by requiring a code from your cellphone in addition to the password to log in. This is particularly important for accounts that can be used to reset passwords or otherwise gain access to other accounts.
- General Description and Caveats: http://www.pcmag.com/article2/0,2817,2456400,00.asp
- Instructions for various services: https://twofactorauth.org/
Choose a Strong Password
Passwords are the combination locks used to protect our computer accounts. It goes without saying that giving out our combination or leaving the lock unlatched (i.e. walking away from a logged on computer), compromises our security. However, technology provides ways for people to obtain our combination even if we aren't careless. To thwart such misuse, we must choose complex combinations. There are three elements to a complex combination:
- It can't be obvious. That is, it can't exist in an attack dictionary.
- Every word in an English language dictionary can be tried in minutes. Attack dictionaries also include names, common misspellings, words with numbers, and other commonly used passwords. You also don't want the password to have any personal significance to you...your dog's name for example. Using a dictionary word for a password is like using a locker number for a combination.
- It can't be short
- A combination lock with a two number combination wouldn't protect very well. Anything less than an eight character password is like having such a combination. It simply won't hold up for long. A minimum of ten characters is recommended.
- It can't be made up of just a few characters
- A combination lock with only ten numbers on the dial isn't as effective as one with fifty. Using only a numeric PIN is like using a combination lock with only ten numbers. Using only lower case letters is like using a lock with only 26 numbers. Having a mix of characters available generally makes the password stronger.
- Uppercase letters ( A-Z )
- Lowercase letters ( a-z )
- Numbers ( 0-9 )
- Punctuation marks ( !@#$%^&*()_+=- ) etc.
Different systems have different capabilities. Some will not let you use all the strength features mentioned here. When you get an account or change your password on a system, you should be given instructions on any limitations.
How, you may ask, am I ever going to remember such a complicated password?
- Pick a sentence that reminds you of the password. For example:
- if my car makes it through 2 semesters, I'll be lucky (imcmit2s,Ibl)
- only Larry Ellison could afford this $70.00 textbook (oLEcat$7t)
- What time is my accounting class in Showker 240? (WtimaciS2?)
- If you absolutely have to, record it in a secure location. It's probably safer to store a strong password in a place where someone would have to physically break in than to expose a service protected by a weak password to a billion people around the world on the Internet. Just don't write down "This is my banking password".
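The three elements above (not obvious, not short, not drawn from just a few characters) can be applied mechanically. The following added example (not from the original page) checks a candidate against them, using a constructed stand-in for an attack dictionary, and also reports the size of the "dial" an exhaustive search would have to turn through; run stand-alone it scores the page's three mnemonic passwords.

```python
import math
import string

# Constructed stand-in for an attack dictionary. Real ones hold millions of
# words, names, common passwords and "word + digits" variants.
ATTACK_DICTIONARY = {"password", "letmein", "welcome", "qwerty", "dukes", "rover"}
MIN_LENGTH = 10  # the page's recommended minimum

# Each class adds "numbers to the dial" of the combination lock.
CHARACTER_SETS = {
    "upper": set(string.ascii_uppercase),  # 26
    "lower": set(string.ascii_lowercase),  # 26
    "digit": set(string.digits),           # 10
    "punct": set(string.punctuation),      # 32
}


def in_attack_dictionary(password):
    """Look the word up the way cracking tools do: ignore case and strip
    trailing digits, so 'Rover2' is still just 'rover'."""
    lowered = password.lower()
    return lowered in ATTACK_DICTIONARY or lowered.rstrip(string.digits) in ATTACK_DICTIONARY


def character_classes(password):
    return {name for name, chars in CHARACTER_SETS.items() if any(c in chars for c in password)}


def dial_size(password):
    """Alphabet size an exhaustive search must cover for the classes actually used."""
    return sum(len(CHARACTER_SETS[name]) for name in character_classes(password))


def assess(password):
    """Apply the three elements of a complex combination; return the findings."""
    problems = []
    if in_attack_dictionary(password):
        problems.append("obvious: appears in the attack dictionary")
    if len(password) < MIN_LENGTH:
        problems.append(f"short: {len(password)} characters, {MIN_LENGTH} recommended")
    classes = character_classes(password)
    if len(classes) < 3:
        problems.append(f"few character types: only {sorted(classes)}")
    # Search space is dial_size ** length; log2 gives it in bits for comparison.
    keyspace = dial_size(password) ** len(password) if password else 0
    bits = round(math.log2(keyspace), 1) if keyspace else 0.0
    return {"ok": not problems, "problems": problems, "keyspace_bits": bits}


if __name__ == "__main__":
    for candidate in ("imcmit2s,Ibl", "oLEcat$7t", "WtimaciS2?", "Rover2"):
        print(candidate, assess(candidate))
```

Note that "oLEcat$7t", one of the page's own mnemonic examples, is nine characters and so falls one short of the recommended minimum of ten.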
Replace Your Strong Password When It Wears Out
One of the most unpopular security recommendations, after choosing hard to remember passwords, is the one that asks us to throw away those passwords after we finally get to the point where we can remember them.
If our ATM card gets stolen we know it. If our keys get stolen, we'll probably miss them before someone manages to copy and return them. Unlike keys or ATM cards, passwords don't have to be physically taken to be copied or used, and it is unlikely we'll know they've been compromised. Once they're compromised, they can be transferred all over the world in the blink of an eye. Until someone uses the password, we won't know it. Most of us won't know even when they're used, unless some fairly drastic action is taken with our account(s).
While our passwords are usually protected with cryptography and are often inaccessible, there are circumstances, sometimes beyond our control, when they are available either over the network or on a system.
Even when protected with cryptography, we're gambling somewhat if the password is accessible. While it may take five years to do an exhaustive search through all the possible combinations using the latest encryption scheme there are some practical points to remember:
- Modern computers and methods can crack passwords extremely fast.
- If we don't follow the rules about strong passwords, modern tools and methods will likely crack it in very little time. Passwords that exist in dictionaries used for attack lookups are often cracked in hours and sometimes in as little as seconds. The tools are programmed to try the things that experience has shown people pick for their passwords.
- Even if we choose a strong password forcing the tool to do an exhaustive search of all possible combinations, perhaps even 10^100 of them, it is not impossible that a random guess will get it right on the first try, or in the first hour, or the first day.
- Computers don't get tired of trying. If someone has our encrypted password in hand, or if they can continually try logging in to our system without locking the account, they can sleep while their computer continues to chug along making guess after guess.
- People make mistakes. They sometimes type their password on the wrong computer, the wrong screen, or the wrong program. Administrators make mistakes. Security folks make mistakes. Everybody makes mistakes. All it takes is once.
- Software is not perfect. Some programs don't use the latest cryptographic protection. Some use none at all.
- Networks are not perfect. Some systems are more secure than others. Passwords get reused and/or passed around.
Lots of things can result in the compromise of a password. If that password protects a lot of things or if it protects things that are important, isn't it worth the trouble to rejuvenate it once in a while by changing it?